Methods and apparatus for detecting cross-site request forgery (CSRF) attacks include a CSRF detector that analyzes HTTP communications for information indicative of a CSRF attack. The CSRF detector may analyze HTTP responses from a website for CSRF code that automatically performs unauthorized access of an online account of a user of a user computer upon receipt and execution of the CSRF code in the user computer. The CSRF detector may also analyze HTTP requests from a web browser for information indicative of a CSRF attack.
9. A computer having memory and a processor for executing computer-readable program code in the memory, the memory comprising:
a cross-site request forgery (CSRF) detector comprising computer-readable program code, wherein the CSRF detector detects a CSRF attack that automatically performs an unauthorized access of an online account of a user of a user computer when CSRF code is received and loaded in the user computer, the CSRF detector being configured to:
detect presence of the CSRF code in an HTTP (Hypertext Transfer Protocol) response sent by a website to the user computer by determining whether a type of content expected to be received by a web browser running in the user computer is consistent with content that will be provided to the web browser,
receive an HTTP request from the web browser,
analyze the HTTP request for information indicative of the CSRF attack, and
perform a security action when the CSRF code is found in the HTTP response,
and perform the security action when the HTTP request includes information indicative of the CSRF attack.
1. A computer-implemented method of detecting a cross-site request forgery (CSRF) attack, the method comprising:
receiving an HTTP (Hypertext Transfer Protocol) response from a website, the HTTP response being responsive to a request for a web page previously submitted from a user computer to the website;
analyzing the HTTP response for presence of CSRF code by determining whether a type of content expected to be received by a web browser running in the user computer is consistent with content that will be provided to the web browser, the CSRF code comprising computer-readable program code which automatically accesses an online account of a user of the user computer upon receipt and execution of the CSRF code in the user computer without authorization from the user;
performing a security action when the CSRF code is found in the HTTP response;
receiving an HTTP request from the web browser;
analyzing the HTTP request for information indicative of a CSRF attack; and
performing the security action when the HTTP request includes information indicative of the CSRF attack.
2. The method of
forwarding the HTTP response to the web browser running in the user computer when the CSRF code is not found in the HTTP response.
3. The method of
forwarding the HTTP request to a destination computer when the HTTP request does not include information indicative of the CSRF attack.
4. The method of
5. The method of
7. The method of
8. The method of
11. The computer of
12. The computer of
13. The computer of
14. The computer of
1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for detecting computer attacks.
2. Description of the Background Art
Cross-site request forgery (“CSRF”) is a type of computer attack where unauthorized transmissions are sent from a user computer to access websites that trust the user. The transmissions resulting from a CSRF attack are “unauthorized” in that the user has not authorized or initiated the transmissions and is not even aware that the transmissions were sent out from his computer. The unauthorized transmissions may involve unauthorized access of a user's online account.
A CSRF attack may begin with a hacker or other malicious individual introducing CSRF code in a legitimate website 170 that the user visits (arrow 161). The CSRF code may comprise computer-readable program code that automatically performs unauthorized access of an online account upon receipt and execution in the victim user computer. A user employing a web browser 173 may request a web page from the website 170 (arrow 162). In response, the website provides the web page (arrow 163), which may include the CSRF code. When the CSRF code is received and executed in the user's computer, the CSRF code sends unauthorized transmissions to access the user's online account in the website 171 (arrow 164). For example, the CSRF code may comprise the following script:
<Img src=http://somebank.com/transferfunds.asp?amnt=10000&acc=someone>
where “somebank.com” is the domain of the website 171. If the user keeps authentication information for the website 171 in a cookie, and if the cookie has not expired, the script will transfer funds out of the user's account without the user's approval when the script is executed in the user's computer.
A popular technique of guarding user computers from websites that contain malicious codes is to consult a web reputation service. The web reputation service maintains a database of malicious websites. The use of a web reputation service, however, is ineffective against CSRF attacks because the website serving the CSRF code is typically a legitimate website. Also, a typical web reputation service cannot provide real-time protection from CSRF attacks because it is difficult to update a reputation database fast enough to include newly compromised websites.
In one embodiment, methods and apparatus for detecting cross-site request forgery (CSRF) attacks include a CSRF detector that analyzes HTTP communications for information indicative of a CSRF attack. The CSRF detector may analyze HTTP responses from a website for CSRF code that automatically performs unauthorized access of an online account of a user of a user computer upon receipt and execution of the CSRF code in the user computer. The CSRF detector may also analyze HTTP requests from a web browser for information indicative of a CSRF attack.
These and other features of the present invention will be readily apparent to persons of ordinary skill in the art upon reading the entirety of this disclosure, which includes the accompanying drawings and claims.
The use of the same reference label in different drawings indicates the same or like components.
In the present disclosure, numerous specific details are provided, such as examples of apparatus, components, and methods, to provide a thorough understanding of embodiments of the invention. Persons of ordinary skill in the art will recognize, however, that the invention can be practiced without one or more of the specific details. In other instances, well-known details are not shown or described to avoid obscuring aspects of the invention.
Being computer-related, it can be appreciated that some components disclosed herein may be implemented in hardware, software, or a combination of hardware and software (e.g., firmware). Software components may be in the form of computer-readable program code stored in a computer-readable storage medium, such as memory, mass storage device, or removable storage device. For example, a computer-readable storage medium may comprise computer-readable program code for performing the function of a particular component. Likewise, computer memory may be configured to include one or more components, which may be executed by a processor. Software components may be implemented in logic circuits, for example. Components may be implemented separately in multiple modules or together in a single module.
Referring now to
In the example of
The web browser 210 may comprise a commercially available web browser, such as the Microsoft Internet Explorer™ web browser.
The CSRF detector 212 may comprise computer-readable program code for detecting a CSRF attack. In one embodiment, the detector 212 is configured to intercept HTTP communications to and from the web browser 210. For example, the CSRF detector 212 may be configured as a local proxy for the web browser 210.
The detector 212 may be configured to receive and analyze HTTP (hypertext transfer protocol) communications, such as HTTP requests and responses, to and from the web browser 210 for information indicative of a CSRF attack. In one embodiment, the detector 212 detects a CSRF attack by looking for CSRF code in an HTTP response from a website. CSRF code comprises computer-readable program code, such as an HTML tag or script, that automatically performs unauthorized access of an online account on a website or server computer upon execution in the victim user computer. For example, the detector 212 may check the HTTP response for inconsistency, such as program code that supposedly gets an image from a website but actually does not. The detector 212 may detect a CSRF attack by looking for CSRF code in an HTTP request from a user computer. For example, the detector 212 may check the HTTP request for inconsistency, such as whether the type of content expected to be received by the web browser as indicated in the request matches the content that will be provided to the web browser.
<Img src=URL>
where the URL (uniform resource locator) should be for an image file, such as a .jpg or .gif file, as indicated by the tag “Img src.” For example, the URL
http://tw.i4.yimg.com/i/tw/hp/spirit/yahoo_logo.gif
is for an image file as indicated by the .gif extension of “yahoo_logo.gif.”
If the URL is for a content other than an image (e.g., a script), the detector 212 may deem the HTML image tag to be CSRF code and terminate the connection with the website 310. For example, the detector 212 may block communications to and from the website 310 and inform the user by providing a warning web page to the web browser 210.
If the HTTP response from the website 310 does not have any information indicative of a CSRF attack, the detector 212 may forward the HTTP response to the web browser 210 (arrow 302).
The web browser 210 may send an HTTP request to a website on the Internet (arrow 303). The HTTP request may be initiated by program code from the web page received from the website 310 or due to the user's navigation to another website. The detector 212 receives the HTTP request from the web browser 210 and analyzes the HTTP request for information indicative of a CSRF attack. In this example, the detector 212 examines the accept header field of the HTTP request to look for any inconsistency. The accept header field of an HTTP request indicates the type of content acceptable as a response to the HTTP request. If the web browser 210 is rendering an image tag as indicated by the corresponding HTTP response previously received by the web browser 210, the detector 212 may expect the accept header of the HTTP request to indicate an image.
As a particular example, the detector 212 operating as a local proxy for the web browser 210 may detect an HTTP request that the web browser 210 just sent. The HTTP request header includes an accept header field, which indicates the type of content the web browser 210 wants to retrieve by the HTTP Request. The following HTML request shows an example where the web browser 210 wants to retrieve a .gif image file:
http://tw.i4.yimg.com/i/tw/hp/spirit/yahoo_logo.gif
the browser will send the following HTTP request:
GET /i/tw/hp/spirit/yahoo_logo.gif HTTP/1.1
Host: tw.i4.yimg.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
Accept: image/gif
Accept-Language: zh-tw,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: Big5,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
In the above example, the accept header field indicates an image/gif type content, which is an image. If the web browser 210 is rendering an HTML image tag and requesting content other than an image file type, the detector 212 may deem the HTTP request to be part of a CSRF attack. In that case, the detector 212 may block the HTTP request and so inform the user by providing a notification web page to the web browser 210.
If the HTTP request does not include information indicative of a CSRF attack, the detector 212 may forward the HTTP request to its destination on the Internet (arrow 304).
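The two consistency checks described above, as an added example that is not code from the patent: the response check flags image tags whose URL is not an image file, and the request check flags a request for an image-tag URL whose Accept header names no image type. The names `check_response`, `check_request` and `IMAGE_EXTS` are hypothetical, and the extra extensions and the handling of `*/*` are assumptions.

```python
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import urlsplit

# Assumption: the page names only .jpg and .gif; the other extensions are added here.
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png"}

class ImgSources(HTMLParser):
    """Collect the src of every <img> tag in an HTTP response body."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.sources.append(src)

def check_response(body):
    """Return (suspicious, declared): img URLs that are not image files, and all img URLs."""
    parser = ImgSources()
    parser.feed(body)
    suspicious = [s for s in parser.sources
                  if splitext(urlsplit(s).path)[1].lower() not in IMAGE_EXTS]
    return suspicious, set(parser.sources)

def check_request(raw, declared):
    """True if the request fetches an img-declared URL but its Accept header names no image type."""
    head = raw.strip().splitlines()
    target = head[0].split()[1]
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in head[1:])}
    if "http://" + headers.get("host", "") + target not in declared:
        return False  # not triggered by an image tag we saw; out of scope here
    types = [t.split(";")[0].strip() for t in headers.get("accept", "").split(",")]
    # Assumption: "*/*" is treated as consistent, since some browsers send it for images.
    return not any(t.startswith("image/") or t == "*/*" for t in types)

# Constructed response body: the first tag is the page's own CSRF example.
RESPONSE = ('<Img src=http://somebank.com/transferfunds.asp?amnt=10000&acc=someone>'
            '<img src="http://tw.i4.yimg.com/i/tw/hp/spirit/yahoo_logo.gif">')
# The page's sample request (trimmed), and a constructed one with a non-image Accept.
GOOD_REQ = "GET /i/tw/hp/spirit/yahoo_logo.gif HTTP/1.1\nHost: tw.i4.yimg.com\nAccept: image/gif\n"
BAD_REQ = GOOD_REQ.replace("image/gif", "text/html,application/xml;q=0.9")

if __name__ == "__main__":
    suspicious, declared = check_response(RESPONSE)
    print(suspicious, check_request(GOOD_REQ, declared), check_request(BAD_REQ, declared))
```

A file extension is only a hint about what a URL returns, so a check like this is a heuristic that can miss image-named endpoints and flag legitimate dynamically generated images.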
In the example of
In the example of
At a later time, the detector 212 receives an HTTP request from the web browser 210 (step 505). The HTTP request may be for the same website from which the HTTP response was received (see step 501) or for another website. The detector 212 analyzes the HTTP request to detect a CSRF attack (step 506). The detector 212 performs a security action if the detector 212 detects a CSRF attack based on its analysis of the HTTP request (step 506 to step 503). Otherwise, if the detector 212 does not detect a CSRF attack from the HTTP request, the detector 212 forwards the HTTP request to its destination computer on the Internet (step 506 to step 507).
An effective method and apparatus for detecting CSRF attacks have been disclosed. While specific embodiments of the present invention have been provided, it is to be understood that these embodiments are for illustration purposes and not limiting. Many additional embodiments will be apparent to persons of ordinary skill in the art reading this disclosure.
Yang, Shun-Fa, Kuo, Hsin-hsin, Liang, Wen-Tien
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Jan 29 2008 | TREND MICRO INCORPORATED | (assignment on the face of the patent) | / | |||
Jan 29 2008 | YANG, SHUN-FA | TREND MICRO INCORPORATED | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 020506 | /0157 | |
Jan 29 2008 | LIANG, WEN-TIEN | TREND MICRO INCORPORATED | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 020506 | /0157 | |
Jan 29 2008 | KUO, HSIN-HSIN | TREND MICRO INCORPORATED | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 020506 | /0157 |